
Can debloated containers pass the zero CVE test?

Paul Gibert, Chainguard Visiting Researcher
November 20, 2023

TL;DR: An analysis of 28 debloated images reveals that these images contain, on average, 33 CVEs, a mean reduction of 64 percent compared to the baseline. [If this were a grade-school test, that would be a solid D.]

There are at least two approaches to “hardening” container images. The minimal approach crafts images using a “lightweight”, security-focused Linux distribution, such as Wolfi. Minimal images have relatively few packages and therefore fewer known common vulnerabilities and exposures (CVEs) at any given point in time. When known CVEs do occur, fast package version updates and vulnerability patches prevent their accumulation.

While the minimal method pursues security from the ground up, a second method takes the opposite approach. Image “debloating” reduces CVEs by removing unessential components from a preexisting (or “baseline”) image. When expendable components are removed, the CVEs associated with these components are also removed. The question is: Can debloated containers pass the zero CVE challenge, achieving zero or near-zero CVEs?

We therefore sampled a set of 28 debloated container images, comparing the CVE counts (measured via Grype) among a baseline image, a debloated version, and a Chainguard Images version. While there are at least a couple of known technical approaches for container debloating, this analysis used debloated containers provided by RapidFort. Additionally, a sub-analysis examined the count of high or critical severity CVEs in each image version, assessing the ability of hardened images to reduce vulnerabilities with high or critical common vulnerability scoring system (CVSS) scores.

The key findings are:

  1. Debloated containers fail the zero CVE test. While debloated containers had 64% fewer CVEs than baseline images, these images still contained, on average, 33 CVEs.
  2. Many debloated containers had lingering “high” and “critical” vulnerabilities. The average count of high and critical severity vulnerabilities in debloated containers was five.

First, this blog post defines and explains container debloating. After explaining data collection, the post analyzes debloated containers and their ability to pass the zero CVE test.

What is container debloating?

Debloating is the process of removing extraneous image components that go unused at runtime. This stands in contrast to Wolfi-based images, where the goal is to exclude such components in the first place. RapidFort’s technology, which produced the debloated images used in this comparison, operates in three steps:

Step 1: Select an image to harden.

The user selects an image to harden, ranging from a simple curl installation based on Alpine to a fully-featured PostgreSQL installation running on top of Debian.

Step 2: Generate and run a “stub” container.

To identify the extraneous contents of an image, the tool duplicates the image (the duplicate is called the stub) and sideloads runtime analysis tooling. The user runs the stub to execute the tooling and the application’s test cases, and components are recorded as they are accessed.

Step 3: Trim the fat.

Finally, the information from step 2 is used to remove any unused components from the original image. The result should be more lightweight and less vulnerable.

Do Debloated Containers Pass the Zero CVE Test?

We sampled 28 images from RapidFort’s community image repository, the original (“baseline”) image from Docker Hub that each debloated image was derived from, and the most comparable Chainguard Images equivalent. This totaled 76 images because some Chainguard images were compared to multiple debloated images. RapidFort images with no comparable Chainguard counterpart were omitted. We scanned all images for CVEs using Grype v0.71.0 on October 19, 2023. Figure 1 displays the results.

Figure 1. A plot of vulnerabilities per image. The mean number of vulnerabilities for each image vendor is plotted with a vertical dotted line. Vulnerabilities were counted using Grype v0.71.0 on October 19, 2023.

On average, debloated images reduced the original CVE count by 64 percent. The mean number of CVEs was still 33. Chainguard images reduced the baseline by, on average, 99 percent and had a mean CVE count of nearly zero.

Not all vulnerabilities are equally concerning, though. Security teams, when faced with hundreds to thousands of CVEs to remediate, often focus on only the most severe CVEs, those with either a “high” or “critical” severity according to CVSS. Figure 2 shows the totals for only these severe CVEs. On average, debloated images contained five.
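The counting step behind Figures 1 and 2, as an added example that is not the post's own analysis code: it assumes each image was scanned with `grype <image> -o json`, that the post's "CVE count" is Grype's match count (the post does not say whether a CVE matched in several packages was merged), and that "severe" means a Grype severity of High or Critical. The three scan results per image family are constructed, not real Grype output.

```python
import json
from statistics import mean

VARIANTS = ("baseline", "debloated", "chainguard")
SEVERE = {"High", "Critical"}  # Grype severity strings counted as "severe"


def scan(*severities):
    """Build a minimal Grype-shaped JSON result with one match per severity (constructed)."""
    return json.dumps({"matches": [
        {"vulnerability": {"id": f"CVE-0000-{i:04d}", "severity": sev},
         "artifact": {"name": f"pkg{i}"}}
        for i, sev in enumerate(severities, 1)]})


# Constructed sample: (baseline, debloated, chainguard) scans for two image families.
SAMPLE = [
    (scan("Critical", "High", "Medium", "Low", "Low"), scan("High", "Low"), scan()),
    (scan("High", "High", "Medium", "Medium"), scan("Medium"), scan("Low")),
]


def count_cves(grype_json):
    """Return (all matches, matches rated High or Critical) for one Grype JSON scan."""
    matches = json.loads(grype_json)["matches"]
    severe = sum(1 for m in matches if m["vulnerability"]["severity"] in SEVERE)
    return len(matches), severe


def reduction(baseline, hardened):
    """Percent reduction versus the baseline; 0 when the baseline had nothing to remove."""
    return 0.0 if baseline == 0 else 100.0 * (baseline - hardened) / baseline


def compare(triples):
    """Mean CVE count, mean severe count and mean per-image reduction for each variant."""
    counts = {v: [count_cves(t[i]) for t in triples] for i, v in enumerate(VARIANTS)}
    report = {}
    for v in VARIANTS:
        report[v] = {"mean_cves": mean([c[0] for c in counts[v]]),
                     "mean_severe": mean([c[1] for c in counts[v]])}
        if v != "baseline":  # reductions are relative to each image's own baseline
            pairs = list(zip(counts["baseline"], counts[v]))
            report[v]["mean_reduction"] = mean([reduction(b[0], h[0]) for b, h in pairs])
            report[v]["mean_severe_reduction"] = mean([reduction(b[1], h[1]) for b, h in pairs])
    return report


if __name__ == "__main__":
    for variant, stats in compare(SAMPLE).items():
        print(variant, stats)
```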

Figure 2. A plot of severe vulnerabilities per image. The mean number of severe vulnerabilities for each image vendor is plotted with a vertical dotted line. Vulnerabilities were counted using Grype v0.71.0 on October 19, 2023.

Final Thoughts: How close do debloated containers come to passing the zero CVE test?

The debloated images, on average, contained 33 CVEs. This was a reduction of 64 percent compared to the baseline images. Chainguard images, by comparison, had an average of 0.1 CVEs for a 99 percent mean reduction compared to the baseline images. The same results hold when examining the reduction in high and critical CVEs.

If you are looking to reach inbox-zero for CVEs, please contact us.
